The right to data portability

The GDPR gives the persons affected by the processing of personal data some data subject rights in Art. 13 ff GDPR. These serve the protection of personal data.

One of these data subject rights is the right to data portability according to Art. 20 GDPR. But what does data portability actually mean?

Sense and purpose

In the GDPR, the right to data portability was newly created compared to its legal predecessors. It is intended to give data subjects more control over their personal data (recital 68 of the GDPR). Thus, it should be significantly easier to change the controller.

This not only promotes systems that are more privacy-friendly in terms of competition policy, to which the data subjects want to switch, but also prevents bindings of the data subjects that are relevant under antitrust law. The legislator had in mind above all the binding of Internet service providers. In the same way, however, Art. 20 GDPR is also applicable to social networks, music streaming services, webmail applications, banks, insurance companies and all other data controllers.

Requirements

The conditions for exercising the right to data transfer are derived from Art. 20 DSGVO:

• The data subject must submit a request to the data controller.
• It must be invoked precisely by the data subject, that is, the data at issue must concern that person.
• The data must have been provided to the data controller by the data subject. This does not include data provided by third parties. Data determined from the data provided (e.g. by profiling) are also not included. Data that is merely linked to the data of third parties, on the other hand, is included as long as the rights and freedoms of other persons are not affected (Art. 20 IV GDPR), which must be assessed on a case-by-case basis.
• Processing by the controller is based on effective consent or a contract.
• The data is processed automatically.

What can the person concerned demand?

The right to data portability not only gives the data subject the right to request that the personal data provided to the controller be transferred out to him or her, but also the right to have the data transferred directly to a new controller by the original controller.

The original controller is then obliged to transmit the data in an interoperable, i.e. structured, common and machine-readable format. However, he is not obligated to maintain or adopt technically compatible data processing systems.

Implementation in practice

The scope of the right to data portability shows that this is an issue that data protection officers should address at an early stage. The respective data protection officer should be consulted in detail.

The first step is to clarify the extent to which the company could be affected by requests for data transfer and the amount of resources that would be required. It is also necessary to consider which of the company's data could specifically be affected by the right to data transfer and where exactly this data is stored.

When it then comes to a request for data transfer, the first thing that must always be done is to carefully clarify the identity of the person making the request. This process must also be documented so that it can be proven later.

Then there are also considerations to be made regarding the practical implementation of the transfer. Important points to consider here are formats that meet legal requirements and encryption (special attention must be paid to personal data in the special category).

If a data subject merely makes a request for data transfer, this does not automatically include a request for deletion of the data from the original controller, which actually contradicts the principle of data economy. The request for deletion of the data must be explicitly mentioned by the data subject.

In individual cases, it is therefore best to contact your data protection officer.